Page 20 - Cyber Warnings
Part I: The Anatomy of a Wi-Fi Hacker in 2017
by Ryan Orsi, Director Product Management, WatchGuard Technologies
We all know the use of Wi-Fi is pervasive because people crave a constant digital connection.
So much so that they'll spend the day jumping from free public hotspot to free public hotspot.
As a matter of fact, Wi-Fi now accounts for 60 percent of all connections to the Internet,
according to Cisco’s 2016 VNI report. The same report estimates there will be more than 540
million worldwide public Wi-Fi hotspots by 2021.
What people don’t often think about is that public Wi-Fi comes with a dark side – it’s ripe for
exploitation by hackers. That’s right, hackers are hiding in the shadows waiting to spoof SSIDs
and launch man-in-the-middle attacks in order to gain access to devices and steal sensitive
information.
When we think about hacking, we tend to remember headline-grabbing incidents, for example
Yahoo losing another billion user account identities, the Ashley Madison hack, or Russia
tampering with the U.S. Presidential Election. These attacks are generally considered layer 7
attacks, which are easier to see in the application layer. But Wi-Fi hacking occurs much lower
in the stack, down at layer 2, or the data link layer.
Since these attacks are buried, they usually go unnoticed. (If you recall, the OSI model is as follows: layer
1–physical, layer 2–data link, layer 3–network, layer 4–transport, layer 5–session, layer 6–presentation
and layer 7–application.) But what’s the anatomy of these layer 2 hacks?
The most commonly used Wi-Fi attack is a man-in-the-middle (MiTM) attack. A hacker spoofs a
Service Set Identifier (SSID), and a landing page if one exists, and tricks a user into connecting
to it, for example at a coffee shop. Though the victim may think they’re logging into a secure
page, they’re actually handing email and password information directly to the MiTM that’s
perfectly mimicking the “Coffee Shop” splash page.
This is also known as an evil portal, and is just one of the ways a MiTM can extract sensitive
information from a victim. All Wi-Fi hacks stem from someone (or something) becoming the
MiTM.
Another type of Wi-Fi attack is called a Karma attack. Dating back to 2005, the Karma attack
runs code on an attacker’s access point (AP) and listens for beacon requests for connections
like “Airline Wi-Fi” or “Coffee Shop.” It then begins broadcasting that SSID into the air hoping a
user associates with it.
Most devices automatically save past open SSIDs, so the next time the user is in range of the
“Free Wi-Fi Coffee Shop” SSID, the device auto-connects without asking for permission. When
Wi-Fi is left activated on a device, it sends out beacon frames into the environment looking to
see if any saved SSIDs are in range.
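A defender can watch for the Karma and spoofed-SSID patterns described above from the sensor side: a legitimate AP answers only for its own network name, while a Karma AP answers for whatever names nearby devices ask for. The sketch below is an added example, not code from the article or from WatchGuard; the frame records, MAC addresses, thresholds and function names are constructed for illustration, and it uses the 802.11 terms probe request and probe response for a device's query and an AP's answer.

```python
from collections import defaultdict

# Constructed sample of frames as a monitor-mode sensor might log them:
# (seconds, frame_type, transmitter MAC, SSID). Not real capture data.
FRAMES = [
    (0.0, "beacon",     "aa:aa:aa:00:00:01", "Coffee Shop"),
    (1.0, "probe_req",  "c2:11:11:11:11:11", "Airline Wi-Fi"),
    (1.1, "probe_resp", "de:ad:be:ef:00:01", "Airline Wi-Fi"),
    (2.0, "probe_req",  "c2:22:22:22:22:22", "Hotel Guest"),
    (2.1, "probe_resp", "de:ad:be:ef:00:01", "Hotel Guest"),
    (3.0, "probe_req",  "c2:11:11:11:11:11", "Coffee Shop"),
    (3.1, "probe_resp", "aa:aa:aa:00:00:01", "Coffee Shop"),
    (3.2, "probe_resp", "de:ad:be:ef:00:01", "Coffee Shop"),
    (9.0, "beacon",     "de:ad:be:ef:00:01", "Home-Net"),
]

def find_karma_suspects(frames, window=1.0, min_ssids=3):
    """Return {bssid: sorted SSIDs} for radios that claimed at least
    `min_ssids` different names, each within `window` seconds of a
    client asking for that name."""
    last_probe = {}               # ssid -> time a client last asked for it
    answered = defaultdict(set)   # bssid -> SSIDs claimed right after a probe
    for ts, ftype, mac, ssid in sorted(frames):
        if ftype == "probe_req" and ssid:   # empty SSID is a wildcard probe
            last_probe[ssid] = ts
        elif ftype in ("probe_resp", "beacon"):
            asked = last_probe.get(ssid)
            if asked is not None and 0 <= ts - asked <= window:
                answered[mac].add(ssid)
    return {m: sorted(s) for m, s in answered.items() if len(s) >= min_ssids}

def find_unapproved_twins(frames, approved):
    """Return (bssid, ssid) pairs where a protected SSID is advertised by
    a radio that is not on the site's approved list for that SSID."""
    hits = set()
    for _, ftype, mac, ssid in frames:
        if ftype in ("beacon", "probe_resp") and ssid in approved \
                and mac not in approved[ssid]:
            hits.add((mac, ssid))
    return sorted(hits)

if __name__ == "__main__":
    print(find_karma_suspects(FRAMES))
    print(find_unapproved_twins(FRAMES, {"Coffee Shop": {"aa:aa:aa:00:00:01"}}))
```

The `min_ssids` threshold keeps a multi-SSID enterprise AP from being flagged on its own, so it should be tuned to the number of names the site's real APs legitimately serve.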
Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide